Former Member

I really just wanted to archive this somewhere else than in my mailbox where it keeps getting lost even though I'm asked for it every 2 years or so 🙂

2014-04-09: Updated with tested Active Directory error codes

Sometimes an action fails even though everything is actually OK, such as adding a member to a group when the member is already a member of the group. (Always wanted to write that!) Or you just don't care that the action failed: you want the workflow to continue anyway and not end up in the On Fail event just yet.

If that's the case, the "Call script in case of error" option is just what you need. This example is from 2010 but I believe it should still work. I don't have an LDAP server to test it on at the moment, so please let me know if it's broken. It accesses some specific objects to get the actual error, so it's quite nice to have around. You don't need to make it this advanced though. The only things you really need are:

- Check the error

- If you want the workflow to go on, execute uSkip(1,1);

- If you want to end the workflow and go to whatever On Error/Chain Error events exist, just exit the script or verify it using uSkip(1,2);

uSkip sets the exit state. The first parameter is 1 for entry or 2 for pass (use in jobs only, not provision actions). The second parameter is the state, where 1 is OK and 2 is FAILED.


// Main function: myLDAPerrorhandler
//
// Some LDAP servers report an ERROR if a multivalue add or del operation tries to add an existing or delete a non-existing value
// This occurs for uniquemember, memberof and a few other multivalue attributes
// Because this is reported as an error the workflow will stop...
// This script checks if the reported LDAP error is one of:
// ADS ADD operation:
//    68 - LDAP_ALREADY_EXISTS
//    Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to
//    rename an entry to the name of an entry that already exists.
//    Example: Original mod exceptionjavax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000562: ....
// SUN ADD operation:
//    20 - LDAP_TYPE_OR_VALUE_EXISTS
//    Indicates that the attribute value specified in a modify or add operation already exists as a value for that attribute.
// ADS DEL operation:
//    53 - LDAP_UNWILLING_TO_PERFORM
//    Indicates that the LDAP server cannot process the request because of server-defined restrictions.
//    Example: Exception from Modify operation:javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00000561: ...
// SUN DEL operation:
//    "LDAP: error code 16"
// and if the error code matches we set provision status OK so that the workflow can continue. An error has already been
// logged so the runtime logfile will still have the errorcount increased and a red entry in the UI.
//
// This script must be run as On Error in a To DSA pass
//
function myLDAPerrorhandler(Par){
   entry = uGetErrorInfo(); 
   if (entry != null) 
   { 
      UserFunc.uErrMsg(0,"myLDAPerrorhandler: Got data from errorInfo"); 
      attr = entry.firstAttr(); 
      LdapEntry = entry; 
      if (entry.containsKey("err_ModException")) 
      { 
         var exc = entry.get("err_ModException"); 
         var orig = exc.getOriginalException(); 
         if (orig != null) 
         { 
            UserFunc.uErrMsg(0, "myLDAPerrorhandler: Original mod exception" + orig); 
            addSUNPos=Instr(1,orig,"LDAP: error code 20",1); 
            addADSPos=Instr(1,orig,"LDAP: error code 68",1);
            delSUNPos=Instr(1,orig,"LDAP: error code 16",1); 
            delADSPos=Instr(1,orig,"LDAP: error code 53",1); 
            if (addSUNPos > 0 || addADSPos > 0) { 
               UserFunc.uErrMsg(0, "myLDAPerrorhandler: Error on multivalue add for existing value detected, setting provision OK"); 
               UserFunc.uSkip(1,1); 
            } 
            if (delSUNPos > 0 || delADSPos > 0) { 
               UserFunc.uErrMsg(0, "myLDAPerrorhandler: Error on multivalue delete of nonexisting value detected, setting provision OK"); 
               UserFunc.uSkip(1,1); 
            } 
         } 
      } 
   } 
}



Sample output from the Runtime Logs testing this with an Active Directory server:

Fail during ADD to member attribute in ADS because the person is already a member of the group:


09.04.2014 15:06:58 :I:initPass ToDSADirect: Test Add Person To Group


09.04.2014 15:06:58 :E:Failed storing CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc


09.04.2014 15:06:58 :E:Exception from Mod operation:ToDSADirect.modEntry CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc failed with NamingException. (LDAP error: The object already exists)


Explanation: [LDAP: error code 68 - 00000562: UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS), data 0


]


Remaining name: CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc


Resolved name:  - javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000562: UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS), data 0


]; remaining name 'CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc'


09.04.2014 15:06:58 :I:myLDAPerrorhandler: Got data from errorInfo


09.04.2014 15:06:58 :I:myLDAPerrorhandler: Original mod exceptionjavax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000562: UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS), data 0


]; remaining name 'CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc'


09.04.2014 15:06:58 :I:myLDAPerrorhandler: Error on multivalue add for existing value detected, setting provision OK


09.04.2014 15:07:03 :I:exit ToDSADirect


09.04.2014 15:07:03 :I:ToDSA Direct pass completed in 5.363 seconds.


Fail during DEL from member attribute in ADS because the person is not a member of the group:


09.04.2014 15:12:21 :I:initPass ToDSADirect: Test Add Person To Group


09.04.2014 15:12:21 :E:Failed storing CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc


09.04.2014 15:12:21 :E:Exception from Mod operation:ToDSADirect.modEntry CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc failed with NamingException. (LDAP error: The server does not handle directory requests)


Explanation: [LDAP: error code 53 - 00000561: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0


]


Remaining name: CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc


Resolved name:  - javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00000561: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0


]; remaining name 'CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc'


09.04.2014 15:12:21 :I:myLDAPerrorhandler: Got data from errorInfo


09.04.2014 15:12:21 :I:myLDAPerrorhandler: Original mod exceptionjavax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00000561: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0


]; remaining name 'CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc'


09.04.2014 15:12:21 :I:myLDAPerrorhandler: Error on multivalue delete of nonexisting value detected, setting provision OK


09.04.2014 15:12:26 :I:exit ToDSADirect


09.04.2014 15:12:26 :I:ToDSA Direct pass completed in 5.373 seconds.


Br,

Chris
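The script above sets OK on any message containing one of the four codes, whichever operation ran, and code 53 is a generic "server-defined restrictions" result, so a refused membership change could be marked as successful. The following is an added example, not part of the original post and not SAP IdM API code: plain JavaScript with hypothetical names (`BENIGN`, `parseLdapError`, `shouldSkip`) that skips only when the result code fits the operation and, for Active Directory, the extended error matches the one shown in the runtime logs. It assumes the caller knows whether the pass performs an add or a delete.

```javascript
// Added example, not SAP IdM API code: plain JavaScript, hypothetical names.
// Rules per operation for "the directory is already in the desired state".
// On Active Directory the 8 hex digits after the result code are a Win32 error:
// 00000562 = ERROR_MEMBER_IN_ALIAS, 00000561 = ERROR_MEMBER_NOT_IN_ALIAS.
const BENIGN = new Map([
  ["add", [
    { code: 68, adError: "00000562" }, // ADS: already a member of the group
    { code: 20 },                      // SUN: LDAP_TYPE_OR_VALUE_EXISTS
  ]],
  ["del", [
    { code: 53, adError: "00000561" }, // ADS: not a member of the group
    { code: 16 },                      // SUN: "LDAP: error code 16"
  ]],
]);

// Pull the numeric result code and, if present, the AD extended error.
function parseLdapError(message) {
  const m = /LDAP: error code (\d+)(?:\s+-\s+([0-9A-Fa-f]{8}):)?/.exec(String(message));
  return m ? { code: Number(m[1]), adError: m[2] ? m[2].toUpperCase() : null } : null;
}

// True only when the error is a known no-op for this operation.
function shouldSkip(operation, message) {
  const err = parseLdapError(message);
  const rules = BENIGN.get(operation);
  if (!err || !rules) return false;
  return rules.some(r => r.code === err.code && (!r.adError || r.adError === err.adError));
}

const TAIL = ", data 0\n]; remaining name 'CN=temporaryGroup3,CN=Groups,dc=enormo,dc=inc'";
const SAMPLES = {
  // The two exception messages from the runtime logs above.
  adAdd: "javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000562: " +
         "UpdErr: DSID-031A119B, problem 6005 (ENTRY_EXISTS)" + TAIL,
  adDel: "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00000561: " +
         "SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM)" + TAIL,
  // Constructed: code 53 with a different extended error (placeholder DSID).
  adOther53: "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: " +
             "SvcErr: DSID-XXXXXXXX, problem 5003 (WILL_NOT_PERFORM)" + TAIL,
};

for (const [name, op] of [["adAdd", "add"], ["adDel", "del"], ["adOther53", "del"], ["adDel", "add"]]) {
  console.log(op, name, shouldSkip(op, SAMPLES[name]) ? "skip (OK)" : "fail");
}
```

In the On Error script, `uSkip(1,1)` would then be called only when the equivalent of `shouldSkip` returns true; every other error falls through to the normal failure handling.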
